
Operational risk management

Announcement date
17 July 2023

Link to announcement 
APRA finalises new prudential standard on operational risk | APRA

Problem being addressed

In recent years, APRA-regulated entities have experienced operational risk events and failures that have had both financial and non-financial implications. APRA has observed three key trends: control failures, potential disruptions and increasing reliance on service providers.

APRA’s policy development to enhance operational risk management commenced in 2018 with APRA’s proposal to introduce information security requirements for all APRA-regulated entities. At that time, it was determined that information security requirements should be given first priority, given the clear and pressing need to address the emerging issues in this area. As such, the approach of introducing prudential requirements on information security ahead of other requirements on the qualitative management of operational risk was adopted. The current policy development on operational risk management requirements reflects a continuation of that approach.

Proposal
Review and update two existing cross-industry prudential standards, Prudential Standard CPS 231 Outsourcing (CPS 231) and Prudential Standard CPS 232 Business Continuity Management (CPS 232), and introduce a new cross-industry standard, Prudential Standard CPS 230 Operational Risk Management. This standard will set out minimum standards for managing operational risk, including updated requirements for business continuity and service provider management. This new standard will subsume CPS 231 and CPS 232.

Assessed Impact Analysis outcome
Certified Independent Review

Assessment comments
Consistent with the Government’s Impact Analysis (IA) requirements, the independent review has been certified by APRA as meeting the requirements of an IA. The Office of Impact Analysis (OIA) does not assess the quality of independent reviews and IA-like documents used in lieu of an IA, but does assess whether the options analysed in the independent review are relevant to the regulatory proposal. The OIA assessed that the options analysed in the independent review were sufficiently relevant to the regulatory proposal.

Regulatory burden

APRA estimates these measures will result in an increase in regulatory costs of $22.9 million per year, averaged over ten years.